Agenda item

This report presents the Information Commissioner's Office (ICO) Audit Action Plan progress update, prior to the ICO returning to review progress in December 2024.

This report presented the Information Commissioner's Office (ICO) Audit Action Plan progress update, prior to the ICO returning to review progress in December 2024.

The report was presented by the Head of Information Management and Governance who provided the following information:

·  The report presented the Information Commissioner’s Office (ICO) audit action plan progress to date, prior to the ICO returning in December to review progress.

·  As at the 13^th September of the 50 recommendations 22% of the actions have been completed, 69% are in progress and 9% are still to be started. It was noted that 1 action was overdue but was going through its approval process and consideration had been given to the potential effect on other actions.

·  Members were informed that the ICO had applied a priority rating to the recommendations, with many of the recommendations requiring large scale work.

·  Many of the actions were linked by themes, with an example given that one document could address in the region of four or five actions.

·  The Committee noted that the ICO had been made aware that the service will be continuing to implement 4 of the recommendations into 2025. These are in relation to large scale actions that the service would be unable to robustly implement with existing technology and with the scale of the Council. Members will be kept up date on progress through the annual report.

·  Since the report was submitted there had been developments that will affect actions relating to managing personal data breaches. The team is due to make the process more efficient using Microsoft Power Apps. Unfortunately works surrounding the Council’s Public Services Network (PSN) certificate meant the development of the data breach power app was paused. Therefore, the service has had to consider meeting 5 actions by alternative means. It was noted that the service has now been advised that it should be able to restart the power app work. However, it was unlikely that this will be fully completed by the start of December. It was the view that the service required the best system that it could get and had made the ICO aware that some actions could be delayed.

·  The Head of Information Management and Governance gave his assurance that every single action had been reviewed and that other than those already mentioned within the report which will be implemented going into 2025, all other actions are on track to be completed before the ICO undertake their review in December 2024. 

·  It was noted that the ICO will either sign off the action plan work, noting the work to do going forward, or they may review again in 6 months. It was stated that Members will be provided with an update on the action plan in February 2025.

Discussions included:

·  Issues relating to what was required to achieve the recommendations set out by the ICO.

·  It was noted that measures and plans are in place to try and mitigate major incidents occurring along with response and recovery plans should a major incident take place.

·  The Committee noted that the action plan was key, with service level spot checks auditing which is part of the recommendations. From a top level there are improvements to be made to the Information Governance Framework in relation to processes and procedures. The Service knows that it needs to close the loop with the Assurance Framework with an end result that the Council should have an Information Governance and Assurance Framework for continuous improvement. For future reports it is the proposal that the Committee will receive the assessment and ongoing action plan and improvements. Members were advised that as part of the recommendation it was to review the need for external audit, and this may happen every 3 to 5 years to ensure that the Assurance Framework is robust. 

RESOLVED – To note the good progress made towards completing the action plan prior to the ICO review in December 2024, noting the completed actions to date and the actions due for future completion.